[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


        EXAMINATION OF THE GAO AUDIT SERIES OF HHS CYBERSECURITY

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 20, 2018

                               __________

                           Serial No. 115-142
                           
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                         


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                        
                        
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
35-126 PDF                  WASHINGTON : 2019                     
          
--------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].                              
                        
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
MICHAEL C. BURGESS, Texas            ELIOT L. ENGEL, New York
MARSHA BLACKBURN, Tennessee          GENE GREEN, Texas
STEVE SCALISE, Louisiana             DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania
CATHY McMORRIS RODGERS, Washington   JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas                    JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida            PAUL TONKO, New York
BILL JOHNSON, Ohio                   YVETTE D. CLARKE, New York
BILLY LONG, Missouri                 DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana               KURT SCHRADER, Oregon
BILL FLORES, Texas                   JOSEPH P. KENNEDY, III, 
SUSAN W. BROOKS, Indiana                 Massachusetts
MARKWAYNE MULLIN, Oklahoma           TONY CARDENAS, California
RICHARD HUDSON, North Carolina       RAUL RUIZ, California
CHRIS COLLINS, New York              SCOTT H. PETERS, California
KEVIN CRAMER, North Dakota           DEBBIE DINGELL, Michigan
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina

              Subcommittee on Oversight and Investigations

                       GREGG HARPER, Mississippi
                                 Chairman
H. MORGAN GRIFFITH, Virginia         DIANA DeGETTE, Colorado
  Vice Chairman                        Ranking Member
JOE BARTON, Texas                    JANICE D. SCHAKOWSKY, Illinois
MICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida
SUSAN W. BROOKS, Indiana             PAUL TONKO, New York
CHRIS COLLINS, New York              YVETTE D. CLARKE, New York
TIM WALBERG, Michigan                RAUL RUIZ, California
MIMI WALTERS, California             SCOTT H. PETERS, California
RYAN A. COSTELLO, Pennsylvania       FRANK PALLONE, Jr., New Jersey (ex 
EARL L. ``BUDDY'' CARTER, Georgia        officio)
GREG WALDEN, Oregon (ex officio)
  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Gregg Harper, a Representative in Congress from the State of 
  Mississippi, opening statement.................................     1
    Prepared statement...........................................     2
Hon. Diana DeGette, a Representative in Congress from the state 
  of Colorado, opening statement.................................     2
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, prepared statement.....................................     4

                               Witnesses

Sherri Berger, Chief Operating Officer, Centers for Disease 
  Control and Prevention
Suzi Connor, Chief Information Officer, Centers for Disease 
  Control and Prevention
Beth Killoran, Chief Information Officer, U.S. Department of 
  Health and Human Services
Greg Wilshusen, Director, Information Security Issues, Government 
  Accountability Office

                           Submitted Material

Subcommittee memorandum..........................................     6

 
        EXAMINATION OF THE GAO AUDIT SERIES OF HHS CYBERSECURITY

                              ----------                              


                        WEDNESDAY, JUNE 20, 2018

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 1:00 p.m., in 
room 2123, Rayburn House Office Building, Hon. Gregg Harper 
(chairman of the subcommittee) presiding.
    Present: Representatives Harper, Griffith, Brooks, Collins, 
Barton, Walberg, Walters, Costello, Carter, Walden (ex 
officio), DeGette, Castor, Tonko, Clarke, and Ruiz.
    Staff Present: Jennifer Barblan, Chief Counsel, Oversight 
and Investigations; Karen Christian, General Counsel; Ali 
Fulling, Legislative Clerk, Oversight and Investigations/
Digital Commerce and Consumer Protection; Jennifer Sherman, 
Press Secretary; Alan Slobodin, Chief Investigative Counsel, 
Oversight and Investigations; Peter Spencer, Professional Staff 
Member, Energy; Jessica Wilkerson, Professional Staff Member, 
Oversight and Investigations; Julie Babayan, Minority Counsel; 
Chris Knauer, Minority Staff Director, Oversight and 
Investigations; Miles Lichtman, Minority Policy Analyst; Kevin 
McAloon, Minority Professional Staff Member; and Samantha 
Satchell, Minority Policy Analyst.

  OPENING STATEMENT OF HON. GREGG HARPER, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF MISSISSIPPI

    Mr. Harper. Good afternoon. We are here today to hold a 
hearing examining the ongoing GAO audit series of HHS 
cybersecurity programs.
    Since the Committee submitted its request to GAO in 2013, 
GAO has performed three audits of major operating divisions 
within HHS. Today's hearing will provide an opportunity for the 
subcommittee to learn more about GAO's findings over this 
series of audits as well as the steps taken by HHS and its 
operating divisions to respond to these findings.
    Given that GAO has completed three of these audits, today's 
hearing will also provide an opportunity to examine HHS 
cybersecurity roles and responsibilities. These GAO audits 
provide a valuable opportunity for HHS and its operating 
divisions to reflect on its cybersecurity capabilities and 
improve from one to the next. Today's hearing will allow us to 
explore whether or not HHS has indeed taken advantage of these 
opportunities in the way that we would hope and expect that the 
Department has.
    Given the sensitivity of some of the findings identified by 
GAO, we have determined that it is appropriate for the bulk of 
this hearing to take place in a closed session. After opening 
remarks by Ranking Member DeGette, the subcommittee will vote 
to enter a closed session and then proceed from there.
    I want to thank our witnesses for appearing today.
    And I now recognize Ms. DeGette for any public comments 
before we vote to go into closed session.
    [The prepared statement of Mr. Harper follows:]

                Prepared statement of Hon. Gregg Harper

    Good afternoon. We are here today to hold a hearing 
examining the ongoing GAO audit series of HHS cybersecurity 
programs. Since the Committee submitted its request to GAO in 
2013, GAO has performed three audits of major operating 
divisions within HHS.
    Today's hearing will provide an opportunity for the 
Subcommittee to learn more about GAO's findings over this 
series of audits, as well as the steps taken by HHS and its 
operating divisions to respond to these findings. Given that 
GAO has completed three of these audits, today's hearing will 
also provide an opportunity to examine HHS cybersecurity roles 
and responsibilities.
    These GAO audits provide a valuable opportunity for HHS and 
its operating divisions to reflect on its cybersecurity 
capabilities and improve from one to the next. Today's hearing 
will allow us to explore whether or not HHS has indeed taken 
advantage of these opportunities in the way that we would 
hope--and expect--that the Department has.
    Given the sensitivity of some of the findings identified by 
GAO, we have determined that it is appropriate for the bulk of 
this hearing to take place in a closed session.
    After opening remarks by Ranking Member DeGette, the 
Subcommittee will vote to enter closed session and then proceed 
from there.
    I want to thank our witnesses for appearing today, and I 
now recognize Ms. DeGette for any public comments before we 
vote to go into closed session.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you, Mr. Chairman.
    As you know, this committee has conducted a series of 
oversight work focused on cybersecurity, such as at the 
Department of Energy and HHS. GAO is doing critical work in 
testing the cyber defenses at various HHS agencies, and this 
report is the latest in that series.
    To that end, I look forward to examining these issues in 
more detail in executive session and to hearing what 
commitments these agencies can make to address the 
vulnerabilities.
    And, with that, I yield back.
    Mr. Harper. Ms. DeGette yields back.
    The chair recognizes himself for a unanimous consent 
request and to offer a motion.
    Because of the sensitive nature of this hearing, 
particularly its implications for national security, and after 
consultations with the minority, I will offer a motion that the 
subcommittee go into executive session.
    I yield to the ranking member for any comments on this 
procedure.
    Ms. DeGette. Thank you, Mr. Chairman.
    As I stated before, given the sensitive nature of this 
information, I support your motion.
    Mr. Harper. The chair moves that, pursuant to clause 2(g) 
of rule XI of the rules of the House, the remainder of this 
hearing will be conducted in executive session to protect 
information that might endanger national security.
    Is there discussion on the motion?
    Seeing none, if there is no discussion, pursuant to the 
rule, a recorded vote is ordered. Pursuant to rule XI of the 
U.S. House of Representatives, this will be a roll call vote.
    The clerk call the roll.
    The Clerk. Mr. Griffith?
    Mr. Griffith. Aye.
    The Clerk. Mr. Griffith votes aye.
    Mr. Barton?
    [No response.]
    The Clerk. Mr. Burgess?
    [No response.]
    The Clerk. Mrs. Brooks?
    Mrs. Brooks. Aye.
    The Clerk. Mrs. Brooks votes aye.
    Mr. Collins?
    Mr. Collins. Aye.
    The Clerk. Mr. Collins votes aye.
    Mr. Walberg?
    Mr. Walberg. Aye.
    The Clerk. Mr. Walberg votes aye.
    Mrs. Walters?
    Mrs. Walters. Aye.
    The Clerk. Mrs. Walters votes aye.
    Mr. Costello?
    [No response.]
    The Clerk. Mr. Carter?
    Mr. Carter. Aye.
    The Clerk. Mr. Carter votes aye.
    Chairman Walden?
    [No response.]
    The Clerk. Ms. DeGette?
    Ms. DeGette. Aye.
    The Clerk. Ms. DeGette votes aye.
    Ms. Schakowsky?
    [No response.]
    The Clerk. Ms. Castor?
    Ms. Castor. Aye.
    The Clerk. Ms. Castor votes aye.
    Mr. Tonko?
    Mr. Tonko. Aye.
    The Clerk. Mr. Tonko votes aye.
    Ms. Clarke?
    Ms. Clarke. Aye.
    The Clerk. Ms. Clarke votes aye.
    Mr. Ruiz?
    Mr. Ruiz. Aye.
    The Clerk. Mr. Ruiz votes aye.
    Mr. Peters?
    [No response.]
    The Clerk. Mr. Pallone?
    [No response.]
    The Clerk. Chairman Harper?
    Mr. Harper. Aye.
    The Clerk. Chairman Harper votes aye.
    Mr. Harper. Have all members been recorded?
    The clerk will report the vote.
    The Clerk. Mr. Chairman, on the vote, there were 12 ayes 
and 0 nays.
    Mr. Harper. The motion passes. The remainder of the hearing 
will be closed to the public and open only to our witnesses, to 
the members, and to essential staff.
    We will briefly recess to clear the room.
    [Whereupon, at 1:05 p.m., the subcommittee proceeded in 
closed session.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Greg Walden

    Mr. Chairman, thank you for holding today's hearing. As you 
explained, we are here today to examine the state of 
cybersecurity at CDC, and what the findings of this audit may 
mean for HHS cybersecurity more broadly. However, it is 
important to keep in mind that the issues and potential 
consequences of GAO's findings at the CDC go far beyond simply 
deficient technical controls.
    In 2013, this Committee requested that the GAO examine in 
detail the information security controls at four key HHS 
agencies--CMS, FDA, CDC, and NIH. Three of those audits are now 
complete, and the NIH is up next. Two years ago, upon the 
release of the FDA audit, the Committee had to call FDA senior 
leadership in a snowstorm to impress upon them to importance of 
closing the 165 vulnerabilities--many of them incredibly 
serious-identified by that GAO audit immediately.
    We had hoped that the CDC audit would be better, but in 
many ways it is worse. Not only are there more technical 
recommendations--184 in this case--but they are more severe. 
And, nearly a quarter of them appear to be duplicative of the 
vulnerabilities in the FDA audit. That includes, by the way, 
the vulnerability that caused the Committee to call over to FDA 
in a snowstorm.
    CDC today will discuss their efforts to date to remediate 
the findings cited by GAO once GAO made them aware of the 
various issues. I am glad that the CDC recognizes the severity 
of the GAO's findings, and is aggressively moving to mitigate 
these vulnerabilities. CDC also engaged a US-CERT ``hunt'' team 
at the Committee's request to investigate potential intrusions. 
When I spoke with Dr. Redfield yesterday he told me that fixing 
these problems is a top priority.
    We have many questions that I hope we can get answers to 
today. For example, why did it take a third-party audit to 
highlight the significant dangers that CDC's information 
technology strategy created? Why didn't CDC recognize this 
danger itself? And finally, if these findings and their 
potential consequences were fully recognized over a year ago, 
why wasn't the Committee told until the release of the 
restricted report last month?
    Chairman Harper highlighted some of the concerns around 
certain vulnerabilities like Finding 38, which CDC has 
confirmed existed in its vulnerable configuration for nearly 7 
years. The implications of this finding are astounding. For 
nearly 7 years, Finding 38 may have allowed a remote, Internet-
based attacker to access any CDC server, workstation, or other 
networked device, including such CDC systems as the ones on 
which the Federal Select Agent Platform or the Strategic 
National Stockpile program depend. These are serious threats 
with potentially grave consequences. And to make things worse, 
8 other GAO findings suggest that CDC's audit and intrusion 
detection capabilities were, and remain, so poor that CDC may 
not have detected whether Finding 38 or other critical findings 
were leveraged to penetrate the CDC.
    The severity of the findings at CDC show that we are still 
viewing cybersecurity as primarily a ``tech'' problem, when in 
fact we have moved far beyond that. The vulnerabilities at CDC 
were not merely a missing IT control deserving of a failing 
audit grade, but a national security threat. And because the 
appropriate amount of weight was not given to that fact a year 
ago, we are now even less well-positioned to understand what 
may have happened to--or, perhaps more accurately, who got 
inside--CDC's networks in the nearly 7 years that the Finding 
38 vulnerability existed.
    I greatly appreciate the hard work of the GAO, and I know 
the CDC does as well. The team that has done these audits at 
the Committee's request does incredible work. We must not lose 
sight of the context in which these vulnerabilities exist. 
There are malicious actors that wish to cause us great harm, 
and have already exploited vulnerabilities across the Federal 
Government. This hearing is a critical step in gaining a better 
understanding of what happened, so that we many ensure that all 
parties understand the potential consequences, and we may 
better position ourselves to ensure that it doesn't happen 
again.
    I want to thank our witnesses for testifying and look 
forward to today's discussion. Thank you, and I yield back.
                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                                 [all]